-rw-r--r--nix/readTree/default.nix3
-rw-r--r--ops/secrets/.skip-subtree2
-rw-r--r--ops/secrets/README.md1
-rw-r--r--ops/secrets/besadii.agebin0 -> 850 bytes
-rw-r--r--ops/secrets/secrets.nix12
5 files changed, 17 insertions, 1 deletions
diff --git a/nix/readTree/default.nix b/nix/readTree/default.nix
index 2ad8e40f6c28..5468d41fd2c7 100644
--- a/nix/readTree/default.nix
+++ b/nix/readTree/default.nix
@@ -100,7 +100,8 @@ let
       }) (filter filterDir (attrNames dir));
 
       # Import Nix files
-      nixFiles = filter (f: f != null) (map nixFileName (attrNames dir));
+      nixFiles = if hasAttr ".skip-subtree" dir then []
+        else filter (f: f != null) (map nixFileName (attrNames dir));
       nixChildren = map (c: let
         p = joinChild (c + ".nix");
         childParts = parts ++ [ c ];
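Review bot: The `.skip-subtree` marker only empties `nixFiles`; the directory traversal ending at `(filter filterDir (attrNames dir))` just above is left as it was, so subdirectories of a marked directory still appear to be read, which is not what the marker's name suggests. If that is intended, say so in a comment next to the check, e.g. `# .skip-subtree: do not import the .nix files of this directory (child directories are still traversed)`; if not, the children expression needs the same guard. This matters for directories like `ops/secrets`, where a later subfolder with Nix files would silently be pulled back into the tree. The enclosing `let` starts and ends outside the hunk, so how a `default.nix` in a marked directory is handled cannot be seen from here.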
diff --git a/ops/secrets/.skip-subtree b/ops/secrets/.skip-subtree
new file mode 100644
index 000000000000..80f63816f5ba
--- /dev/null
+++ b/ops/secrets/.skip-subtree
@@ -0,0 +1,2 @@
+The Nix configuration in here is read by agenix and not compatible
+with readTree.
diff --git a/ops/secrets/README.md b/ops/secrets/README.md
new file mode 100644
index 000000000000..e59b86541335
--- /dev/null
+++ b/ops/secrets/README.md
@@ -0,0 +1 @@
+TVL's deployment secrets, encrypted with [agenix](https://github.com/ryantm/agenix/commits/main)
diff --git a/ops/secrets/besadii.age b/ops/secrets/besadii.age
new file mode 100644
index 000000000000..b8a3a9b56f65
--- /dev/null
+++ b/ops/secrets/besadii.age
Binary files differ
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
new file mode 100644
index 000000000000..1cf2b5e44a50
--- /dev/null
+++ b/ops/secrets/secrets.nix
@@ -0,0 +1,12 @@
+let
+  tazjin = [
+    # tverskoy
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1fGWz/gsq+ZeZXjvUrV+pBlanw1c3zJ9kLTax9FWQy"
+  ];
+
+  whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";
+
+  default.publicKeys = tazjin ++ [ whitby ];
+in {
+  "besadii.age" = default;
+}
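Review bot: The recipient list does not say what role each key plays: `tazjin` carries a `# tverskoy` comment, but `whitby` has none, so a reader cannot tell whether it is a machine host key or a user key, and that decides who can decrypt `besadii.age`. If it is the host key of the deployment target, I would add above the `whitby` binding `# SSH host key of whitby; secrets listing it must be re-encrypted when this key is rotated`. It is also worth a comment on `default.publicKeys` that every secret assigned `default` is readable by all keys in that set, so per-secret recipient lists should be used where a narrower audience is wanted.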